Port 1167 is where Cisco routers and switches receive commands to measure network performance. When a network administrator wants to know if the path between two devices is meeting service level agreements—latency under 50ms, jitter below 10ms, less than 1% packet loss—port 1167 is where that conversation starts.
What Runs Here
Cisco IP SLAs Control Protocol (cisco-ipsla) is officially assigned to port 1167 by IANA across three transport protocols: UDP, TCP, and SCTP.[1][2]
IP SLAs (IP Service Level Agreements) is Cisco's framework for active network performance measurement. It works by having one device (the source) send test traffic to another device (the responder), measuring exactly what happens along the way.
Port 1167 is the control channel. The source sends setup commands to port 1167 on the responder: "I'm going to send you UDP echo packets every 60 seconds. Measure round-trip time and jitter. Here are the parameters." The responder acknowledges, configures itself, and waits for the test traffic.
How It Works
The IP SLA responder listens on port 1167 (or sometimes port 1967—Cisco supports both).[3] When it receives a control message, it:
- Validates the request — Is this source authorized? Are the parameters reasonable?
- Sets up the test — Allocates resources to respond to the incoming probes
- Acknowledges — Tells the source "I'm ready, start sending test traffic"
- Participates — Responds to probe packets with precise timestamps
- Reports — May send results back through the control channel
The actual test traffic doesn't flow through port 1167. If you're testing UDP echo, the probes might use a different port entirely. Port 1167 is just the handshake—the "here's what we're about to do" conversation.
Why This Matters
Networks make promises. Your ISP promises 10ms latency to the nearest datacenter. Your MPLS provider guarantees 99.9% uptime. Your cloud provider commits to specific jitter tolerances for voice traffic.
Cisco IP SLAs is how you verify those promises. You configure tests, set thresholds, and trigger alerts when reality diverges from the contract. Port 1167 is what makes that measurement possible—it's the port that coordinates the tests that prove whether the network is lying.
In enterprise networks, IP SLAs often drives routing decisions. If the primary path's latency exceeds the threshold, the router can automatically fail over to the backup path. That decision is based on measurements coordinated through port 1167.
The Registered Ports Range
Port 1167 lives in the registered ports range (1024-49151). These ports are assigned by IANA to specific services upon application by the requesting entity—in this case, Cisco Systems.
Registered ports aren't reserved quite as strictly as well-known ports (0-1023). You might find something else running on port 1167 on a non-Cisco device. But in any network with Cisco equipment running IP SLAs, this port has a specific job.
Security Considerations
In 2013, Cisco disclosed a vulnerability (CVE-2013-1146) in how IOS software validated IP SLA packets received on UDP port 1167.[4] An attacker who could send specially crafted packets to port 1167 could cause a device reload.
The vulnerability was specific to UDP port 1167. The alternate responder port (1967) wasn't affected. Cisco released patches and recommended:
- Filter port 1167 at network edges if IP SLAs isn't needed from external sources
- Use access control lists to limit which devices can send control messages
- Update to patched IOS versions that properly validate packets
The existence of this vulnerability reveals something true about port 1167: it's a management port. It accepts commands that configure device behavior. Any port that accepts commands is a potential attack surface if not properly protected.
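To check that the filtering recommended above is holding, a monitoring job can flag control-port traffic from sources that are not approved IP SLA senders. The sketch below is an added example, not Cisco's or the original page's code; the flow-record format, the allowlist, and all addresses are constructed for illustration.

```python
import ipaddress

# Control ports and transports named on this page.
CONTROL_PORTS = {1167, 1967}
TRANSPORTS = {"udp", "tcp", "sctp"}

# Constructed allowlist: hosts permitted to act as IP SLA sources (assumption).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.50.0/28")]

# Constructed flow records: "timestamp proto src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z udp 10.0.50.3 51000 10.1.1.1 1167
2024-05-01T10:00:05Z udp 203.0.113.77 40001 10.1.1.1 1167
2024-05-01T10:00:06Z tcp 10.0.50.4 51020 10.1.1.1 22
2024-05-01T10:00:09Z udp 198.51.100.9 33000 10.1.1.2 1967
2024-05-01T10:00:11Z udp 10.0.50.9 51111 10.1.1.2 1967
malformed line here
"""

def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, _sport, dst, dport = parts
    try:
        return {"ts": ts, "proto": proto.lower(),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport)}
    except ValueError:  # bad address or non-numeric port
        return None

def unauthorized_control_traffic(log_text, allowed=ALLOWED_SOURCES):
    """List flows that reach an IP SLA control port from a non-allowlisted source."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] not in TRANSPORTS:
            continue
        if flow["dport"] not in CONTROL_PORTS:
            continue
        if any(flow["src"] in net for net in allowed):
            continue  # approved IP SLA source
        alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]),
                       flow["proto"], flow["dport"]))
    return alerts

if __name__ == "__main__":
    for alert in unauthorized_control_traffic(SAMPLE_FLOWS):
        print("ALERT unapproved IP SLA control traffic:", alert)
```

Any alert here means the edge filter or device ACL is letting control messages through from an unexpected source.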
Checking What's Listening
To see if something is listening on port 1167:
On Linux/macOS:
On Windows:
Using nmap to scan a remote device:
On Cisco devices, you can verify IP SLA responder status:
Related Ports
- Port 1967 — Alternate IP SLA control port, also used by Cisco for the same protocol
- Dynamic ports — The actual IP SLA test traffic typically uses dynamically negotiated ports, not the control port
Port 1167 vs. Port 1967
Cisco documentation mentions both ports. Port 1967 is the newer default for IP SLA control protocol, while port 1167 is the original IANA-assigned port. Both work. The 2013 vulnerability only affected 1167, which is one reason some deployments prefer 1967.
But port 1167 remains the official IANA assignment and is still widely used.
Why Unassigned Ports Matter
Most ports in the registered range—including neighbors of 1167—have no official assignment. They're available for applications to use, either as officially registered services or as ephemeral ports for outbound connections.
Port 1167 is one of the assigned ones. It has a name, a protocol specification, and a company backing it. That official assignment prevents port number conflicts and creates a standard that Cisco devices worldwide can rely on.
The vast sea of unassigned ports exists so that every application doesn't need to fight over the same few numbers. But when you need coordination across vendors, across networks, across continents—you register the port, and everyone knows what it means.
Port 1167 means: Cisco performance monitoring lives here.